At line 1 changed one line |
This plugin allows you to integrate CrushFTP with your LDAP server, such as the Microsoft Active Directory server, or OpenLDAP, etc. |
This plugin allows us to integrate CrushFTP with your LDAP server, such as the Microsoft Active Directory server, or OpenLDAP, etc. |
At line 3 changed one line |
The settings should be self explanatory. The LDAP roles expects a full path to an LDAP group. Such as: CN=FTPUsers, CN=groups, DC=domain, DC=com |
The settings can be grouped into three major sections, based on functionality: |
At line 5 changed one line |
The 'member' field is a field in the group that matches the full username value of the user who is trying to authenticate. if that fails, the user's attributes are searched for one that has a memberOf field matching the group. |
!!!1. Connectivity settings |
At line 7 changed one line |
The search filter is the attribute used to find a match to the username being used during logon. |
[attachments|ldapconn1.png] |
At line 9 changed one line |
[attachments|Clipboard01.jpg] |
LDAP server URL, fully qualified user name and password of an LDAP account used for queries. |
The account needs read only access on the full LDAP tree. |
The plugin supports __referral chasing__, in case of multiple forests with trust relationship between, can allow this by setting the __Follow referrals__ option. |
At line 11 changed one line |
If you enable LDAP only used for authentication, then once the credentials are verified, crush finds a username in [User Manager] that matches the same username that was used to login with. Only if it find the user will the login proceed. |
To use a secure LDAP (__ldaps://__) URL, set either the __Accept any SSL certificate__ option or import the LDAP server public certificate into the Java trust store, __cacerts__. |
At line 13 changed one line |
If you instead use the HomeDirectory method, Crush find that attribute in the user and assigns that as the user's home folder and grants them access to that folder. It does not enforce ACLs though, so you assign the permissions to that folder here. You can also specify an alternate local directory to use to make their home folder if it doesn't find a match for the LDAP attribute value, or if that home folder didn't exist. |
Multiple server URLs supported, for high availability, the plugin will round robin between these, need to enter those as comma separated list. |
At line 15 changed one line |
You can specify a 'master' type user from the user manage to load additional settings and customizations from. |
The plugin also allows multiple instances, this feature facilitates integration with different user domains or to have different configurations to catch a certain subset of users, etc. The query order is left to right, as the instances appear on the tab list. First successful hit allows login, we look for the user no further. |
At line 17 changed one line |
The overwrite VFS items should not be used if you login with multiple accounts at the same time. It clears out the user's temp VFS every time they login in case you have removed access to something. |
[attachments|ldapconn3.png] |
At line 19 changed one line |
[attachments|crushldapgroup2.png] |
Each plugin instance can restrict the allowed users to certain server ports or Sever Connection Groups |
|
[attachments|ldapconn2.png] |
!!!2. LDAP user lookup |
!Search base location: |
This field needs to be pointed to the root of the LDAP tree or full path to some container OU. LDAP objects outside this path will not be visible to the plugin. |
|
!Search filter: |
This field needs to contain some unique LDAP attribute name, like __sAMAccountName__ for plain username or __userPrincipalName__ for the user FQDN as allowed username format. We can also automatically round robin between these if the __On login, make two attempts...__ option is enabled. This field also allows more complex LDAP filter expressions , an example for enabled user accounts only |
{{{ |
(&(objectClass=user)(objectCategory=person)(sAMAccountname=?)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
}}} |
!Lookup parameters: |
[{Image src='ldaplookupsettings1.jpg' width='..' height='..' align='left' style='..' class='..' }] |
\\ |
;On login, make two attempts using username, and fully qualified username:try to look up the user by both it's FQDN and it's plain user name. This allows to log in by plain username (sAMAccountName) even if the __Search Filter__ is set to userPrincipalName |
;Relay LDAP error message to user logging in:in case of access denied, show the LDAP error in the Webinterface or client application along with our standard error message |
;Prefer simple username on login attempt:prioritize user lookup by it's sAMAcountName if the __Search Filter__ is set to anything else. With this flag set, on failure we'll make an attempt with simple username appended with the lookup admin user's domain suffix, v10 specific. |
;Notify Locked Account:If an account becomes disabled or locked, this option triggers sending an email to the LDAP User's email address. |
A special email template must be set up for this with the exact name of "LDAP_Locked_Account" on Preferences -> Email Templates page. |
The "Email address cache" option had been removed from the GUI, a hidden setting now, default 30 minutes. This option prevents the server of sending multiple emails. |
CrushFTP v10 can discern between LDAP error code 49 subtypes, the above method will provide meaningful feedback for subcode 52e, 773 and 775. The {user_ldap_last_error} server variable |
can be used to reveal these in the notification email body. |
;Allow reverse role lookup:validate role membership by checking the user's memberOf attribute against the roles list |
;Allow forward role lookup:validate role membership by checking all roles' member attribute for the user DN |
One of the role lookup methods is mandatory for role based lookup to work. |
;Validate this plugin before calling other plugins:in case multiple integration plugins are linked together, call the LDAP plugin first ( for example in case of RADIUS & LDAP ) |
\\ |
!Roles and inheritance |
Roles allow filtering on LDAP group membership. Each role has two options, a role filter and an optional role template field. Each role filter needs to be set a full LDAP path to a security group as of the user object's memberOf attribute value.\\ |
\\ |
__IMPORTANT:__ in case an LDAP user is member of multiple Roles, inherited settings will follow the hierarchy of the Roles order, topmost item has the least prevalence, while lowmost one in the list, the highest. This means |
the same setting that is configured on multiple Role Template accounts will be inherited from the last Role in the list. Exception being the per-role VFS directories inherited, these cumulate.\\ |
\\ |
[attachments|roles1.png]\\ |
\\ |
A role template is a local CrushFTP user account for parenting group membership based inheritance. In case such a role template is assigned, all LDAP users member of this group will inherit settings from this account, including it's __VFS__ configuration; this can be used to grant per group based common working directories or local admin rights for example. |
|
|
A master template can also be designated , with instance wide scope |
|
[attachments|roles2.png] |
|
!!!3. Home folder access |
|
__IMPORTANT:__ the user will be denied login in case of an invalid home directory configuration or (local) home directory path not accessible. |
\\ |
!LDAP used for authentication only |
With this option if is enabled, the plugin will match the logging in user name against the local user database, in case of a successful match, the user is allowed to log in with it's LDAP password, and the user settings, including it's VFS configuration, is loaded from the local account. This method allows the most fine grained control over each LDAP integrated account, with the cost of being tedious, will need to create for each allowed user a matching account in User Manager __manually__ (with blank or random password, since that will be ignored anyways). |
|
[attachments|homedir0.png] |
|
!LDAP home directory or local home directory |
This method is used if the above option is not enabled. The plugin will attempt to grant the user folder access to a path loaded from an LDAP attribute value or assign a local folder path. In this case __local__ doesn't necessarily means a local folder on the CrushFTP server host itself, we do support network share |
access via UNC paths or any of the supported remote networking protocols based URLs (FTP, SMB, etc.). |
|
!HomeDirectory field |
If this contains a valid LDAP attribute name, the plugin will attempt to grant access to the path contained by the attribute as it's value. In case of Microsoft Active DIrectory, this field should be set to __homeDirectory__, in case of Linux SLAPD, to __unixHomeDirectory__, etc. or any arbitrary LDAP attribute containing a single folder path or coma separated list of paths. To disable, set this field value to __NA__ (or any arbitrary value __not__ matching an LDAP attribute name). |
[attachments|homedir1.png] |
!Use local folder if LDAP's HomeDirectory not found |
In case this option is enabled, and loading a valid path as per above section config, failed, the plugin will attempt to grant local folder |
access within a root folder pointed to by the __Path__ field value. Set the __Append username to path__ and __Create folder with username__ to create individual, username based |
home directories. |
A more advanced use case is to honor ACL permissions using an SMB:// URL and server variables to dynamically reference user credentials at login time |
{{{ |
SMB3://INTRANET{backslash}{username}:{password}@srv11.intranet.local/SHAREROOT/ |
}}} |
|
[attachments|homedir2.png] |
|
The __Create additional subfolders in home directory :__ section instructs the plugin to automatically create a pre defined set of subfolders below the user's home directory root. |
|
In stream PGP file Encryption and Sync can be configured using the __Advanced__ menu. |
!!!4. Key mapping |
This section allows mapping of LDAP attributes to local user parameters. Most common use case LDAP integration with SSH user public key based authentication. |
In this case, an otherwise redundant LDAP field, __description__ was used to store the user public key path (or the key file content).\\ |
__IMPORTANT:__ LDAP user email address is automatically mapped behind the scenes. This works with most LDAP implementations, we do an implicit mapping of the LDAP user's __mail__attribute value to our specific __user_email__ user attribute. Need only to map manually in case of some non-standard LDAP implementations\\ |
|
[attachments|mapping1.png]. |
|
!!!Troubleshooting |
|
There are separate test tools to validate connectivity and query account credentials |
|
[attachments|trblshoot1.png] |
|
user lookup and role based filtering |
|
[attachments|trblshoot2.png] |
|
and user login (without the need of the actual end user password, the test tool will fake a login based on user lookup and validate home folder access) |
|
[attachments|trblshoot3.png] |
\\ |
---- |
!!!AutoMap |
LDAP for enterprise customers also supports "automap" feature for the groups. You configure a single role with the name "automap", and the groups that are found from the memberOf attribute (which must be in full DN notation). Then all groups the user is a member of are searched for in the User Manager to find a matching usermanager and they are assigned to them. |
---- |
!!!MFA |
See [CrushLDAPGroupMFA] for info on how to make CrushFTP v11 do MFA for LDAP. |